An executive at a major global stock exchange was targeted in a stealthy attack that gradually exfiltrated their Outlook mailbox over the course of five months, researchers at Symantec and Carbon Black reported Wednesday.

The attack, with an approximate 150-day dwell time, began in October 2025 and continued through March 2026, resulting in the theft of emails dating back to August 2025.

The attacker utilized an Aspose-based stealer that converts Outlook Offline Storage Tables (OST) into Personal Storage Tables (PST) and writes them to .txt files for later exfiltration to cloud-based storage services, the researchers explained. Aspose is a legitimate .NET library that supports parsing of Outlook OST and PST files.

The files were exfiltrated mostly to a single Dropbox account, with a secondary OneDrive Personal exfiltration channel added in late November 2025. Dropbox was accessed via the Dropbox API following an OAuth handshake, while OneDrive was contacted directly via hard-coded Microsoft IP addresses rather than the onedrive.live.com domain to evade DNS-based blocking and logging of DNS queries.

The executive’s entire Outlook mailbox from August 2025 onward was stolen incrementally in two- to four-week intervals, with the first run collecting emails from August 2025 to Nov. 12, 2025, and subsequent runs picking up where the last run left off. This method resulted in continuous theft of information and broke the data up into smaller batches that were less likely to be flagged by security tools.
The attackers achieved persistence through the use of a scheduled task disguised as a Lenovo system health check, which ran every five hours to trigger .bat files stored in temporary directories. They later added another scheduled task disguised as a OneDrive sync service, stored at a fake OneDrive setup path, that ran every three minutes.

An additional binary, disguised as an Adobe Acrobat Reader Update service, was launched on March 19, 2026, and a component named te.host.dll was also staged in an Intel-themed directory for possible sideloading against the Microsoft Test Engine (te.exe), but te.exe was never executed, the researchers noted.

The fake OneDrive and Acrobat processes were found to be running as SYSTEM and were spawned by wininit.exe via the Service Control Manager, indicating local privilege escalation, although the initial access vector for the attack was not discovered, the researchers said.

The researchers were not able to attribute the attack to a specific threat actor due to the use of legitimate cloud services as a command-and-control (C2) channel rather than an attacker-controlled domain.

Symantec and Carbon Black noted the risks associated with the Outlook exfiltration, including the exposure of sensitive non-public information that could impact the markets, details about the executive’s calendar and travel, and the executive’s contact list. The researchers published a list of indicators of compromise (IoC) to assist defenders in detecting similar campaigns.
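The persistence and exfiltration traits described above (vendor-themed scheduled tasks that run scripts from temporary directories or fire every few minutes, and HTTPS connections made straight to an IP address so that no DNS query is logged) translate into simple hunting rules. The following is an added example written for this article, not code from Symantec or Carbon Black and not based on their published IoCs. It runs over constructed, simplified records modelled loosely on Windows scheduled-task registration events and Sysmon-style network-connection events; the task names, paths, IP addresses and the per-vendor "expected directory" table are all assumptions made for the illustration.

```python
"""Hunt for vendor-themed scheduled tasks and hostname-less HTTPS egress.

Added example, not vendor code. All sample events, paths and addresses
below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Scripts launched from a temporary directory are a common persistence tell.
TEMP_DIR_RE = re.compile(r"\\(Temp|Tmp)\\", re.IGNORECASE)
SCRIPT_EXT_RE = re.compile(r"\.(bat|cmd|vbs|ps1)\b")

# Vendor names an attacker might borrow for a task name, mapped to a path
# fragment a genuine component of that vendor is assumed to run from.
# These expected locations are assumptions for this example.
VENDOR_HOME = {
    "lenovo": r"c:\program files\lenovo",
    "onedrive": r"\microsoft\onedrive\\"[:-1],  # "\microsoft\onedrive\"
    "adobe": r"c:\program files\adobe",
    "intel": r"c:\program files\intel",
}


@dataclass
class TaskEvent:
    name: str
    action: str            # command line the task executes
    interval_minutes: int  # repetition interval of the trigger (0 = none)


@dataclass
class NetEvent:
    image: str             # process that opened the connection
    dest_ip: str
    dest_port: int
    dest_hostname: str     # name from a preceding DNS query, "" if none


def check_task(ev: TaskEvent, max_freq_minutes: int = 5) -> list[str]:
    """Return the reasons a scheduled task resembles the persistence in the report."""
    reasons = []
    act = ev.action.lower()
    if TEMP_DIR_RE.search(ev.action) and SCRIPT_EXT_RE.search(act):
        reasons.append("runs a script from a temporary directory")
    if 0 < ev.interval_minutes <= max_freq_minutes:
        reasons.append(f"repeats every {ev.interval_minutes} min")
    for vendor, home in VENDOR_HOME.items():
        if vendor in ev.name.lower() and home not in act:
            reasons.append(f"name mimics {vendor} but action is outside the vendor directory")
    return reasons


def check_net(ev: NetEvent) -> list[str]:
    """Flag HTTPS connections that were opened by IP with no DNS resolution."""
    reasons = []
    if ev.dest_port == 443 and not ev.dest_hostname:
        reasons.append(f"HTTPS to bare IP {ev.dest_ip} without a DNS query")
    return reasons


def hunt(tasks: list[TaskEvent], conns: list[NetEvent]) -> list[tuple[str, str, str]]:
    """Combine both checks into (event kind, identifier, reason) findings."""
    findings = []
    for t in tasks:
        findings += [("task", t.name, r) for r in check_task(t)]
    for c in conns:
        findings += [("net", c.image, r) for r in check_net(c)]
    return findings


# Constructed sample events: two benign tasks, two modelled on the report.
SAMPLE_TASKS = [
    TaskEvent("Lenovo System Health Check",
              r"C:\Users\exec\AppData\Local\Temp\syshealth.bat", 300),
    TaskEvent("OneDrive Sync Service",
              r"C:\Users\exec\AppData\Local\OneDriveSetup\OneDriveSync.exe", 3),
    TaskEvent("MicrosoftEdgeUpdateTaskMachineCore",
              r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe", 60),
    TaskEvent("Lenovo Vantage",
              r"C:\Program Files\Lenovo\Vantage\LenovoVantage.exe", 0),
]
SAMPLE_CONNS = [
    NetEvent(r"C:\Users\exec\AppData\Local\OneDriveSetup\OneDriveSync.exe",
             "203.0.113.10", 443, ""),                       # constructed IP
    NetEvent(r"C:\Users\exec\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
             "203.0.113.20", 443, "onedrive.live.com"),
    NetEvent(r"C:\Program Files\Mozilla Firefox\firefox.exe",
             "198.51.100.5", 443, "www.example.com"),
]

if __name__ == "__main__":
    for kind, ident, reason in hunt(SAMPLE_TASKS, SAMPLE_CONNS):
        print(f"[{kind}] {ident}: {reason}")
```

The two benign tasks and the two legitimate connections produce no findings; the fake Lenovo task is flagged twice (temp-directory script, vendor mismatch), the fake OneDrive task twice (three-minute interval, vendor mismatch), and its hostname-less HTTPS connection once. In a real deployment the vendor table and the "expected directory" paths would be tuned to the estate's software inventory, and the hostname field would come from correlating DNS events with connection events rather than from a single record.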